Technical Writing Project Coversheet

Capstone Proposal Project Name: Securing the Universal Serial Bus Interface for the Enterprise Environment

Student Name: Steve Wild

_

Degree Program: Bachelor of Science in Information Technology – Security Emphasis

_

Mentor Name: Yolanda DuPree____________________________________________________

Signature Block: Student’s Signature: _______________________________________________________

Mentor’s Signature: _______________________________________________________

Running head: SECURING THE USB INTERFACE 1

Securing the Universal Serial Bus Interface for the Enterprise Environment Steve Wild Western Governor’s University

SECURING THE USB INTERFACE 2

Summary The USB interface is one vector of possible attack against a company and must be proactively defended against data theft, data loss, and corporate espionage in order for a company to maintain a secure enterprise environment, minimize downtime, and maximize productivity. Project Goals and Objectives There are several goals that will be accomplished during this project: explore the hardware problems, explore the software problems, explore the policy problems, and give real world examples. The objectives are: provide example hardware solutions, provide example software solutions, provide example policy solutions, and to provide a concise best practices guide in the conclusion. Project Deliverables The deliverables of this project are the review of other works, the discussion, and the conclusion. The review of other works will look at several different articles and reports from at least 5 different sources and review them within the scope of this project. The discussion will include the bulk of the content: hardware problems and solutions, software problems and solutions, policy problems and solutions, and a couple of real world examples. The conclusion will contain summarized best practice guidelines designed to be applicable to many situations and environments. Project Timeline and Milestones The project timeline is a total of 3 weeks. The first 2 weeks will be spent researching the necessary data. The last week will be spent writing the paper and

SECURING THE USB INTERFACE 3

conclusion then submitting them for grading. The milestones will be the conclusion of the research, the conclusion of the report, and the submission of the project. Review of Other Work SanDisk released a survey on April 9, 2008, regarding risk from unsecured USB flash drives. They found that a staggering 77 percent of corporate end users surveyed brought personal flash drives into the environment for work-related purposes. This is even more shocking when IT Managers surveyed expected to see an answer closer to 35 percent. In my experience, 77 percent is a little low. I believe the number should be much closer to 100 percent since it is likely that a few people answered the survey with what they thought the surveyors wanted to hear. With the release of Windows 7, Microsoft expanded upon their BitLocker encryption, originally offered as a package included in Windows Vista, with the release of BitLocker To Go, designed specifically for removable storage devices. Now network administrators are able to decide exactly how much freedom is required in their environment and adjust permissions as needed. They can allow only encrypted devices or allow read only access to unencrypted devices. To allow sharing of data with Windows XP, they can also allow read only access of BitLocker To Go encrypted devices (Microsoft, 2009). SC Magazine performed a similar, outdated study in 2007. They found many solutions available, but for the most part were very limited in scope and, while useable, ultimately not useful enough to be used in demanding enterprise environments. Ultimately, they were unable to find a comprehensive solution.

SECURING THE USB INTERFACE 4

TechTarget.com released a very inclusive wish list which follows much of my process throughout this investigation including: which devices are allowed, when those devices are allowed, who can use those devices, and which types of data can be transferred. They also mention that encryption should be enforced (Cobb, 2009). As usual for TechTarget.com, they give a very high level overview without going into any real depth. An undated Net-Security.org article gives a listing of recent incidents, including the oft-used incident outside of Bagram, Afganistan by the U.S. Army. It then goes on to describe risks and enterprise concerns including examples of data leakage, regulatory compliance, and lost data. The next section on possible solutions is quite glib at only 3 sentences rendering the 7 Steps to Securing Personal Storage Devices section, after which the article is titled, a shallow attempt. This article is possibly the best summary to be found on this topic and yet is quite lacking. This project will go into further detail regarding ways to secure the environment. There are many single topic articles to be found such as informIT’s USB Hacks paper regarding the U3 autorun procedure (Fogle, 2007). You can also find many white papers published on the National Institute of Standards and Technology’s website, nist.org, but these are not meant for consumption by executives. There is relatively little to be found that could be regarded as a comprehensive or conclusive guide. Hopefully, this project will provide a little headway in that direction.

SECURING THE USB INTERFACE 5

Discussion "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location – and I'm not even too sure about that one." -- Dennis Hughes, FBI. IT Security has many possible vectors of attack ranging the entire gamut from accidental loss to data theft to hacktivism. These vulnerabilities can take many forms: viral, logical, physical, or even environmental. Contrary to popular opinion, the absolute greatest risk doesn’t come from the media hyped hackers, sitting in their parent’s damp, dark basement, coming in over the ‘net; instead it comes from those with physical access to hardware: employees, contractors, even government and corporate spies. While many people should take notice of someone walking in to or out of a building toting a computer under their arm, a tiny USB drive is much more discrete, easily hidden in pocket change or on a keychain, tossed in a backpack or a purse, even deviously hidden in mundane objects such as coffee cups or credit cards. These devices can be smuggled past the most stringent of security practices, into an organization’s most sensitive areas, like the one mentioned by Mr. Hughes. These devices can house something as simple as customer data or as complex as a program designed to wipe every hard drive squeaky clean. Because of these factors, the USB interface must be secured through hardware, software, and policy. There are many different attacks possible with a USB device, the most common of which is simple data theft. Customer data is valuable for many reasons, the least of which is the customer’s contact information that can be used by a competitor. There is also pricing data that a competitor can use to undercut you and steal your customers. Another method of corporate espionage involves reducing a competitor’s productivity. This could be performed by simply

SECURING THE USB INTERFACE 6

causing excessive network congestion or by disabling some cores on multi-core processors. These are attacks that are not expected and there is very little defense against, most especially for small businesses that can’t afford the expensive equipment that could possibly detect the act in progress. Another attack uses purposefully placed USB devices. These devices are strategically planted in specific locations so that they will be found by employees of the business and then used on a business computer. USB devices are plug-and-play, meaning that there is no software that has to be installed prior to use. A very useful abuse of this technology entails putting software on the drive that automatically starts upon insertion to a PC. This software can be written to push a virus on to the host computer and then replicate over the company’s internal network, infecting all computers and reducing or even halting productivity. A worst case example would be putting a USB device in a bank parking lot, early in the morning, so that it will be found by bank employee and taken into the building. Eventually, that USB device will be inserted into a PC on the bank’s internal network. Upon insertion, a virus is copied over to that computer. The virus then automatically spreads to all computers on the bank’s internal network. Upon a specific time and date, the virus’s primary function will then be activated. Since the virus has spread internally, firewalls will not be able to protect the bank’s network. This is a new virus that has not ever been used before, so there are no antivirus definitions available. The virus could then attack in a variety of ways. It might simply erase a critical system file causing all workstations to not be able to boot. It could be used to establish a botnet that could then be used to perform a more powerful attack without being traced back to the responsible party. It may use a SQL injection attack to change data in the customer database; for example: account balances, billing addresses, names, PIN numbers, and etcetera. It might

SECURING THE USB INTERFACE 7

covertly make these changes to the backup database while corrupting the active database, causing the backup database to be activated. It could simply steal credit card data and send it out over the internet. The possibilities are as endless as the hacker’s imagination. Accidental loss of data happens when a USB device holding sensitive data is actually misplaced, as opposed to purposely misplaced in the previous example. As a salesman was planning a vacation and giving his customer information to another salesman in the company, he copied the customer data to a USB device but when he went to give it to the other salesman; he couldn’t find the device. This kind of loss is one of the worst things that can happen for a company. Even though the device may never be found and a data breach may never happen, by law the company must notify all customers that could be affected by the data loss. This incompetence reflects poorly upon the company and can cause customer distrust. There are three basic ways to protect against a USB based attack: hardware security, software security, and security policy. It takes the combination of all three in order to effectively protect the enterprise. Hardware security is something that, while being easy to implement, is often over looked. A system’s BIOS can be password protected and then set to disable some or all of the USB ports on the computer. This protection is only as secure as the BIOS password. Many times technicians will need the BIOS password in order to troubleshoot issues on a computer, so this shouldn’t be the sole protective measure. Some might ask why you would disable only select USB ports. It may be prudent to disable the USB ports on the back of a computer to reduce the chance of a USB based keylogger or remote access device to go unnoticed for extended periods of time. People are more likely to notice a new device plugged into the front of their computer, whereas they may have never even glanced at the back.

SECURING THE USB INTERFACE 8

Another hardware based solution is self-encrypting secure USB devices. These are devices that ask for a password in order to be used. Some have keypads on the USB device that require the code be punched in. Others use biometric security, asking for a thumbprint to unlock the device. Some of these devices use software based security which will be disabled by a prompt on the computer when the device is accessed. Some devices will employ a combination of hardware and software based security methods. There are many software based security packages. A very simple and fairly secure example is BitLocker that comes with Windows Vista, Windows 7, and Windows 8. It is designed to encrypt hard drives with an unbreakable encryption scheme using a key that is stored on an external device such as a USB device, smartcard, or a central server (Microsoft, 2009). IronKey has an all-inclusive enterprise security USB device that uses a combination of hardware and software. Using the IronKey USB drive, you can securely transfer files without worry of data loss. In order to access the drive, as soon as it is inserted into a computer, it accesses a central server which then prompts the user for a password, key, or biometric scan. If the password is not supplied, the drive can then be locked, causing the device to be returned to administration to be unlocked, or wiped clean, destroying all data on the drive (IronKey, 2012). Not all forms of encryption are equal, as is shown in IronKey’s submission to the NIST. Their drive, produced by Imation, meets the security requirements of the Federal Information Processing Standards Publication version 2, or FIPS 140-2, Level 3 (ImationCorp, 2011), which requires physical security mechanisims, including tamper-detection switches. There is a Level 4 specification, requiring environmental monitoring (Ambrose, 2009), that is not currently available in any unclassified device that I could find. This makes IronKey one of the most

SECURING THE USB INTERFACE 9

secure products available to date. IronKey’s solution is also one of the quickest, easiest to implement of the available options, but unfortunately one of the most expensive. Security Policy is often haphazardly, reactively thrown together after an attack has occurred. However, there are many published proactive solutions that include IT Security from both governments and industry organizations. COBIT, published by the ISACA, is in its 5th generation and is highly regarded as an industry standard framework for enterprise IT (ISACA, 2012). ITIL, or the IT Infrastructure Library, is 20 years old and on its 3rd version. It is published by the UK’s Office of Government Commerce and is the most widely used standard in the world (APM Group Ltd, 2011). The International Organization for Standardization, or the ISO, has developed ISO27k, a series of publications relating to IT Security, which has been adapted by many organizations and is part of the basis of both COBIT and ITIL (“ISO/IEC 27000-series”, n.d.).

SECURING THE USB INTERFACE 10

References Ambrose, John R., & Malinaik, Lisa. (2009) IC Simplifies Support For FIPS 140-2 Level 4 Digital Encryption. ElectronicDesign.com. Retrieved from http://www.electronicdesign.com/article/digital/ic_simplifies_support_for_fips_140_2_le vel_4_digital_encryption. APM Group Ltd. (2011). What Is ITIL?. Retrieved from http://www.itilofficialsite.com/AboutITIL/WhatisITIL.aspx. Cobb, Michael. (2009). How to secure USB ports on Windows machines. Retrieved from http://searchsecurity.techtarget.com/answer/How-to-secure-USB-ports-on-Windowsmachines. Fogle, Seth. (2007). Security Reference Guide: USB Hacks. ImformIT.com. Retrieved from http://www.informit.com/guides/content.aspx?g=security&seqNum=263. IronKey. (2012). Retrieved on May 20, 2012, from https://www.ironkey.com. ImationCorp. (2011). Imation S200/D200. Retrieved from http://csrc.nist.gov/groups/ STM/cmvp/documents/140-1/140sp/140sp1149.pdf. ISACA. (2012). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Retrieved from http://www.isaca.org/COBIT/Pages/default.aspx. ISO/IEC 27000-series. (n.d.). In Wikipedia. Retrieved May 20, 2012, from http://en.wikipedia.org/wiki/ISO/IEC_27000-series. Microsoft. (2009). Windows 7 Security Enhancements. Microsoft | TechNet. Retrieved from http://technet.microsoft.com/en-us/library/dd560691.aspx.

SECURING THE USB INTERFACE 11

Reichenberg, Nimrod. (n.d.). 7 Steps to Securing USB Drives. Retrieved from http://www.netsecurity.org/article.php?id=958. SanDisk Corporation. (2008). SanDisk Survey Shows Organizations at Risk from Unsecured Usb Flash Drives;Usage is More than Double Corporate IT Expectations. Retrieved from http://www.sandisk.com/about-sandisk/press-room/press-releases/2008/2008-04-09sandisk-survey-shows-organizations-at-risk-from-unsecured-usb-flash-drivesusage-ismore-than-double-corporate-it-expectations. Stephenson, Mike. (2007). USB Security 2007. Retrieved from http://www.scmagazine.com/usbsecurity-2007/grouptest/19/.

Capstone Competency Matrix
The purpose of the Competency Matrix is to give you the opportunity to state precisely which competencies are demonstrated in your capstone. Your capstone should demonstrate your mastery of at least ten different competencies from the following domains: Leadership and Professionalism, Upper Division Collegiate Level Reasoning and Problem Solving, Language and Communication, and Quantitative Literacy. The capstone will also demonstrate competency in at least one of the following Information Technology domains: Software, Networks, IT Management, Project Management, Security, or Databases. If you have selected an emphasis for your degree, at least one of the selected domains must reflect the emphasis area. For example, if you are enrolled in the BS IT Security Emphasis degree program, you must demonstrate competency in the security domain, although other competencies may be demonstrated as well. In the second column, write the competency you are demonstrating (do not just list a number). In the first column, write the domain to which the competency belongs. In the third column, give a brief explanation of how the capstone demonstrates mastery of the competency. Domain/Subdomain Leadership and Professionalism Leadership and Professionalism Upper Division Collegiate Level Reasoning and Problem Solving Upper Division Collegiate Level Reasoning and Problem Solving Language and Communication Language and Communication Quantitative Literacy Competency Organizational Culture Change Management Planning and Information Gathering Analysis and Interpretation of Information/Data Documenting Sources Adaptation Explanation I explain how to foster an environment of security through proper training of employees. I explain how to change from insecure to secure environment. I researched through many sources finding appropriate data for this topic, ruling out sources that were questionable or irrelevant. This topic required me to read through and compare many articles and compile information into a usable format. All sources are documented in APA format. The conclusion will be written for a specific audience of managers and IT professionals. Choosing which method takes priority is based on the statistical probability of attack and total risk of successful attack. Interpreted technical white papers into material intended to be read by a larger audience. Device Security is this project’s focus. I show how to protect data for the enterprise.

Applying Probability & Statistics Interpreting & Communicating Quantitative Information Device Security Data Security

Quantitative Literacy

Security Security